On Wed, Feb 04, 2009 at 09:39:07AM +1100, Oscar Plameras wrote:
> 1. System1 - I had 3 test servers running OpenLDAP-2.3.30-3.fc6,
> OpenSSL-0.9.8b-15.fc6 on Linux-2.6.22.14-72.fc6.
> And these were perfectly running with OPENSSL configured on
> 'slapd.conf' as follows:
>
> lines cut
> #
> #
> TLSCACertificateFile /etc/CA/cacert.pem
> TLSCertificateFile /etc/pki/tls/newcert.pem
> TLSCertificateKeyFile /etc/pki/tls/newkey.pem
> #
> #
> lines cut
>
> When I do,
>
> #service ldap restart, and #ps -ax I have this
>
> slapd -h ldap:/// ldaps:/// -u ldap
>
> I can do simple unsecured or secured queries from here.
>
> 1. System2 - Now, I upgraded 2 test servers running
> OpenLDAP-2.4.12-1.fc10, OpenSSL-0.9.8g-12.fc10 on
> Linux-2.6.29-159.fc10.
> Suddenly I can't start slapd correctly. The problem is after
> configuring 'slapd.conf' with OPENSSL, as I did in System1 and I
> do a
>
> #service ldap restart, and #ps -ax
>
> I found that I only have this process running:
> slapd -h ldap:/// -u ldap. The ldaps:/// process did not start
> suggesting I have incorrect certificates.
> But I can confirm that my certificates are correct with several tests.

In older releases, the init script checked for TLS-related settings in
slapd.conf and if it found some, forcibly added 'ldaps:///' to the list of
values passed to slapd as arguments for its '-h' flag.  It looks like it
doesn't do that any more.  Rather, it expects that you'll set SLAPD_LDAPS to
"yes" in /etc/sysconfig/ldap.

I'm only guessing as to why, but it looks like one of the benefits of
changing the way that the init script works is that you can now disable
listening for non-SSL connections without editing the init script.

HTH,

Nalin

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
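The following is an added example, not part of the thread above and not Fedora's own init script. It reproduces in plain sh the two behaviours Nalin describes, so an administrator can check before restarting whether slapd will actually be given an ldaps:/// listener: the old heuristic (TLS directives present in slapd.conf) and the new one (SLAPD_LDAPS="yes" in /etc/sysconfig/ldap). Only SLAPD_LDAPS is named in the message; the companion names SLAPD_LDAP and SLAPD_LDAPI, the file paths, and the sample file contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): mirror the init-script logic Nalin
# describes so the listener list can be checked before 'service ldap restart'.
# Assumptions: SLAPD_LDAP and SLAPD_LDAPI are modelled on SLAPD_LDAPS (only
# SLAPD_LDAPS is named in the message); all file contents below are constructed.

# Build the value for slapd's -h flag from sysconfig-style yes/no settings.
# Usage: build_slapd_urls <ldap yes/no> <ldaps yes/no> <ldapi yes/no>
build_slapd_urls() {
    urls=""
    [ "$1" = "yes" ] && urls="$urls ldap:///"
    [ "$2" = "yes" ] && urls="$urls ldaps:///"
    [ "$3" = "yes" ] && urls="$urls ldapi:///"
    printf '%s' "${urls# }"   # drop the leading space
}

# Return 0 if slapd.conf carries TLS directives (what the old init script
# keyed on when it forced ldaps:/// onto the -h list), 1 otherwise.
has_tls_config() {
    grep -Eq '^[[:space:]]*TLS(CACertificateFile|CertificateFile|CertificateKeyFile)[[:space:]]' "$1"
}

# Read SLAPD_LDAPS from a sysconfig file without sourcing it (sourcing would
# execute whatever the file contains; parsing is the safer check).
ldaps_setting() {
    sed -n 's/^[[:space:]]*SLAPD_LDAPS=["'\'']\{0,1\}\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Diagnose the mismatch from the thread: TLS configured in slapd.conf but
# SLAPD_LDAPS not "yes", so no ldaps:/// listener is started even though the
# certificates are fine. Returns 0 when consistent, 2 when the mismatch exists.
check_ldaps_listener() {
    conf="$1"; sysconf="$2"
    if has_tls_config "$conf" && [ "$(ldaps_setting "$sysconf")" != "yes" ]; then
        echo "WARNING: TLS is configured in $conf but SLAPD_LDAPS is not 'yes' in $sysconf; ldaps:/// will not be started"
        return 2
    fi
    echo "OK: listener settings are consistent with $conf"
    return 0
}

# --- constructed sample inputs (not real files from the thread) ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/slapd.conf" <<'EOF'
# constructed slapd.conf fragment with the directives quoted in the thread
TLSCACertificateFile /etc/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/newkey.pem
EOF
cat > "$tmpdir/ldap.old" <<'EOF'
# constructed /etc/sysconfig/ldap: ldaps left disabled after the upgrade
SLAPD_LDAP=yes
SLAPD_LDAPS=no
SLAPD_LDAPI=no
EOF
cat > "$tmpdir/ldap.fixed" <<'EOF'
# constructed /etc/sysconfig/ldap with the setting Nalin points at
SLAPD_LDAP=yes
SLAPD_LDAPS=yes
SLAPD_LDAPI=no
EOF

check_ldaps_listener "$tmpdir/slapd.conf" "$tmpdir/ldap.old" || true
check_ldaps_listener "$tmpdir/slapd.conf" "$tmpdir/ldap.fixed"
echo "slapd would be started with: -h '$(build_slapd_urls yes yes no)'"
```

Run it as-is to see the warning for the unchanged sysconfig file and the OK verdict for the corrected one; point check_ldaps_listener at the real /etc/openldap/slapd.conf and /etc/sysconfig/ldap to check a live host. Setting SLAPD_LDAP=no alongside SLAPD_LDAPS=yes is the "disable non-SSL listening without editing the init script" case Nalin mentions, and build_slapd_urls shows the resulting -h value would be just ldaps:///.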